Load balancing HTTP/HTTPS with Pound on Ubuntu 14.10 Server
WHAT POUND IS
a reverse-proxy: it passes requests from client browsers to one or more back-end servers.
a load balancer: it will distribute the requests from the client browsers among several back-end servers, while keeping session information.
an SSL wrapper: Pound will decrypt HTTPS requests from client browsers and pass them as plain HTTP to the back-end servers.
an HTTP/HTTPS sanitizer: Pound will verify requests for correctness and accept only well-formed ones.
a failover server: should a back-end server fail, Pound will take note of the fact and stop passing requests to it until it recovers.
a request redirector: requests may be distributed among servers according to the requested URL.
Pound is a very small program, easily audited for security problems. It can run as setuid/setgid and/or in a chroot jail. Pound does not access the hard-disk at all (except for reading the certificate file on start, if required) and should thus pose no security threat to any machine.
WHAT POUND IS NOT
Pound is not a Web server: by itself, Pound serves no content -- it contacts the back-end server(s) for that purpose.
Pound is not a Web accelerator: no caching is done -- every request is passed "as is" to a back-end server.
Install Pound on Ubuntu 14.10
Open the terminal and run the following command
sudo apt-get install pound
Pound Configuration
The Pound configuration file is located at /etc/pound/pound.cfg, so you need to edit this file to make the changes.
Edit the Pound configuration file using the following command
sudo vi /etc/pound/pound.cfg
Configuring HTTP Load balancing
We'll need to delete all the content within the ListenHTTP block. Once done, it should look like this
ListenHTTP
End
Now we add an address and port to listen on and finally a line to remove an HTTP header
ListenHTTP
Address 0.0.0.0 # all interfaces
Port 80
HeadRemove "X-Forwarded-For"
End
This is a basic configuration. For each backend we want to load balance, we'll need to add a BackEnd to a Service within that listener.
You'll notice we're removing incoming headers called X-Forwarded-For. This is to make sure someone doesn't try to craft them into a request and abuse them.
ListenHTTP
Address 0.0.0.0 # all interfaces
Port 80
HeadRemove "X-Forwarded-For"
Service
BackEnd
Address 192.168.0.1
Port 80
Priority 1
End
BackEnd
Address 192.168.0.2
Port 80
Priority 1
End
End
End
Here we have added 2 BackEnds that connect to port 80, it's all pretty simple. Add as many as you want.
Pound will pass correct HTTP headers through to the backends so you configure those just like you normally would.
Configuring HTTPS Load balancing
Because Pound decrypts HTTPS requests and passes them to the back-end servers as plain HTTP, this should only be done on a private network.
So, we'll create an HTTPS listener like the one above but with extra options.
ListenHTTPS
Address 0.0.0.0 # all interfaces
Port 443
AddHeader "X-Forwarded-Proto: https"
HeadRemove "X-Forwarded-Proto"
HeadRemove "X-Forwarded-For"
Cert "/path/to/certificate.pem"
Service
BackEnd
Address 192.168.0.1
Port 80
Priority 1
End
BackEnd
Address 192.168.0.2
Port 80
Priority 1
End
End
End
You'll notice a few changes here. First, we tell the HTTPS listener to listen on port 443, the SSL port.
We add a header called X-Forwarded-Proto to the requests passed to our backend servers, so that the backend can inspect this header and use it, if required, to know the client connection is secure.
We also remove incoming headers called X-Forwarded-Proto and X-Forwarded-For. This is to make sure someone doesn't try to craft them into a request and abuse them.
Finally, there is the certificate, which needs to be a PEM file with all certificates and keys within it and without passphrases.
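A small Python linter for the header and back-end rules described above, as an added example that is not code from the original article or from the Pound project. It assumes literal header names in HeadRemove and IPv4 literals as back-end addresses, and it applies the stripping rule for both X-Forwarded-* headers to every listener, which is stricter than the HTTP example above.

```python
from ipaddress import ip_address, ip_network

# Assumption: "private network" means the RFC 1918 ranges.
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LISTENERS = ("listenhttp", "listenhttps")
OPENERS = LISTENERS + ("service", "backend", "session", "emergency")  # closed by End

def parse_listeners(cfg):
    """Return, per listener block, its (enclosing block, directive, argument) triples."""
    found, stack = [], []  # stack = blocks currently open
    for raw in cfg.splitlines():
        key, arg = (raw.split("#", 1)[0].split(None, 1) + ["", ""])[:2]
        key, arg = key.lower(), arg.strip().strip('"').lower()
        if key in LISTENERS:
            found.append({"tag": f"{key} #{len(found) + 1}", "type": key, "items": []})
        if key in OPENERS:
            stack.append(key)
        elif key == "end" and stack:
            stack.pop()
        elif stack and stack[0] in LISTENERS:
            found[-1]["items"].append((stack[-1], key, arg))
    return found

def lint(cfg):
    out = []  # findings as strings; an empty list means every check passed
    for lst in parse_listeners(cfg):
        removed = {a for _, k, a in lst["items"] if k == "headremove"}  # literal names
        added = {a.replace(" ", "") for _, k, a in lst["items"] if k == "addheader"}
        backends = [a for p, k, a in lst["items"] if (p, k) == ("backend", "address")]
        for hdr in ("x-forwarded-for", "x-forwarded-proto"):
            if hdr not in removed:
                out.append(f"{lst['tag']}: client-supplied {hdr} is not removed")
        if lst["type"] == "listenhttps" and "x-forwarded-proto:https" not in added:
            out.append(f"{lst['tag']}: x-forwarded-proto: https is not added")
        for addr in backends:
            if not any(ip_address(addr) in net for net in PRIVATE):
                out.append(f"{lst['tag']}: back-end {addr} is not a private address")
    return out

# Constructed sample (not from the page): incomplete header handling, public back-end.
SAMPLE = """ListenHTTPS
  HeadRemove "X-Forwarded-For"
  Service
    BackEnd
      Address 198.51.100.7
    End
  End
End"""
print("\n".join(lint(SAMPLE)))
```

Run it against the contents of /etc/pound/pound.cfg by passing the file's text to lint(); an empty result means every listener passed all three checks.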
Enabling Pound to start
Open the pound file
sudo vi /etc/default/pound
Change startup=0 to startup=1. Until this is done, Pound will refuse to start.
startup=0
to
startup=1
Starting Pound as Daemon Service
sudo /etc/init.d/pound start
Pound log file
By default, Pound logs its messages using syslog:
# tail -f /var/log/messages
# grep pound /var/log/messages